Tresorit adds file restore to its e2e encrypted cloud storage service


Europe-based cloud storage startup Tresorit, which mainly focuses on selling to small to medium size businesses, has added a file restore feature to its e2e encrypted cloud storage platform. It’s touting this as a helpful feature if you’re trying to recover from a ransomware attack.

Or, more prosaically, if you’ve accidentally deleted something.

Here’s a GIF showing the file recovery feature in action:

The file restore feature covers files stored in Tresorit’s cloud and files synced locally to a user’s devices.

Obviously, if files are only stored locally and not backed up or synced to Tresorit’s cloud there’s no fallback restoration in the event of a ransomware infection. (Conversely, files stored in Tresorit’s cloud that are not synced locally would not be affected by a ransomware infection on the local machine.)

Tresorit already had a file versioning feature, which allows users to recover any previously saved versions of their files. But it says the addition of file restore helps mitigate the types of ransomware attacks that encrypt files without deleting them first.

There’s no time limitation on the file restore option. Files can always be recovered so long as the user hasn’t confirmed permanent deletion.

Which does mean, over time, the feature may end up eating into your storage limit — at least if you don’t tidy up and fully delete files you no longer need.

“Non-permanently deleted items count towards the storage space of a user. So, it requires some ‘housekeeping’ from the user,” confirms a Tresorit spokeswoman. “But it is easy to get rid of all these deleted items that a user doesn’t need by selecting ‘Remove deleted items’.”

Also helpful: Tresorit has announced it’s doubling the amount of storage space it offers for individual plans — with its premium (aimed at individuals) and solo (freelancers and professionals) plan users now getting 200GB and 200TB respectively.

Today it’s also introduced a new basic plan which it describes as a “more capable” free version —  intended to help external collaboration between its business users and their clients or partners (who may not be Tresorit users).

Last year it launched free subscriptions for NGOs and activists for whom strong privacy is not just a nice to have. And the spokeswoman tells us more than 100,000 people are now using its tools — which includes both consumer (so some non-paying) and business users.

“Almost two-thirds of our customers are European, led by the traditionally security and privacy conscious countries like Germany and Switzerland. The next biggest European markets are the UK and the Benelux-states. The second largest region is North-America (mostly the US),” she says, adding that Europe’s incoming update to its data protection framework is also driving local uptake.

“With only a few months to go until the GDPR, we are seeing an even higher demand for secure, end-to-end encrypted online services with European data centers. A lot of smaller companies are just starting the preparation for the GDPR, and looking for secure services they can easily switch to.”

Tresorit’s zero-knowledge e2e encryption architecture means that, unlike cloud storage giants like Dropbox, it cannot decrypt and access users’ files. So even if it is subpoenaed, it has no plaintext content to hand over.

It can, however, provide some user and service activity data in response to lawful requests — such as names, email addresses, billing details and so on. The company recently started publishing a Transparency Report to list any government data requests it receives and provide details on how it handles such requests.

“During the period covered in this (from September 24, 2013, to November 30, 2017), we received one informal request from a Swiss police authority to retain certain user data, however, as there was no official decision by Swiss authorities on this case, in the end, we didn’t hand over any data,” the spokeswoman tells us.

“As a Swiss company, Tresorit is primarily subject to Swiss jurisdiction regarding data protection and criminal procedures. Without an official decision by a Swiss cantonal or federal authority, no information can be provided to foreign requests.”

Chef InSpec 2.0 helps automate security compliance in cloud apps


How many times do you hear about a company exposing sensitive data because they forgot to lock down a data repository on Amazon? It happens surprisingly often. Chef wants to help developers and operations teams prevent that kind of incident. Today, the company released InSpec 2.0, which is designed to help automate application security and compliance in the cloud.

InSpec is a free open source tool that enables development teams to express security and compliance rules as code. Version 1.0 was about ensuring that applications were set up properly. The new version extends this capability to the cloud where companies are running the applications, allowing teams to test and write rules for compliance with cloud security policy. It supports AWS and Azure and comes with 30 common configurations out of the box including Docker, IIS, NGINX and PostgreSQL.

Companies running multiple applications across multiple clouds face challenges in today’s continuous development environment. It’s actually fairly easy to leave that database exposed when it’s up to humans to continuously monitor if it’s in compliance or not.

Chef wants to help with that problem by offering a tool to automate compliance. It takes some work in getting the security, development and operations teams together to discuss what needs to be locked down, but once they come to an agreement, they can use InSpec to write rules that validate proper cloud configurations using the InSpec scripting language.

Chef’s director of product marketing Julian Dunn says that anyone used to scripting languages should be able to pick it up. “A language like InSpec allows customers to customize and write the rules specific to the cloud they are in and specific to their cloud deployment and check things they care about,” he said.

Scripting language example. Code sample: Chef

“The language is designed to be easy to read and write. It’s intended for security engineering folks who don’t have programming background, but have scripting experience,” Dunn added. Once you write these scripts, you can run tests against your infrastructure, see which areas are out of compliance and take steps to fix them.
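As an added illustration of what such a rule actually has to decide, here is the “is this bucket public?” check written in plain Python over constructed sample documents in the shapes the S3 GetBucketAcl and GetBucketPolicy calls return. This is not InSpec code and not Chef’s own resource implementation; the InSpec resource named in the docstring (aws_s3_bucket with a be_public matcher) is an assumption about InSpec’s AWS resource naming, not something the article states, and the owner ID and VPC endpoint ID in the samples are made up.

```python
"""Compliance-as-code check for the "forgot to lock down a data repository
on Amazon" case.  Added illustration, not InSpec or Chef code: it encodes the
question a control like `describe aws_s3_bucket(...) { it { should_not be_public } }`
(assumed resource name) asks, over constructed sample ACL / policy documents."""

import json

# Canned S3 grantee groups: anyone on the internet / anyone with any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    """IAM/S3 JSON allows a single string or object wherever a list is accepted."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def acl_findings(acl):
    """Grants in an ACL document that hand a permission to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            out.append(f"ACL grants {grant.get('Permission')} to {group}")
    return out

def _wildcard_principal(principal):
    """Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def policy_findings(policy):
    """Allow statements open to any principal.  Statements that carry a Condition
    (e.g. aws:SourceVpce) are reported for review but not counted as public,
    because the condition may restrict who can actually use the grant."""
    failures, review = [], []
    if isinstance(policy, str):  # GetBucketPolicy returns the document as a JSON string
        policy = json.loads(policy)
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        desc = f"Sid={stmt.get('Sid')} allows {actions} to any principal"
        (review if stmt.get("Condition") else failures).append(desc)
    return failures, review

def evaluate_bucket(name, acl, policy=None):
    """A control-style verdict: 'public' is True only on an unconditional exposure."""
    failures, review = policy_findings(policy)
    failures = acl_findings(acl) + failures
    return {"bucket": name, "public": bool(failures), "failures": failures, "review": review}

# Constructed sample documents (owner ID and VPC endpoint ID are made up).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}})
VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    for name, acl, pol in [("private", PRIVATE_ACL, None),
                           ("acl-open", PUBLIC_READ_ACL, None),
                           ("policy-open", PRIVATE_ACL, PUBLIC_GET_POLICY),
                           ("vpce-only", PRIVATE_ACL, VPCE_ONLY_POLICY)]:
        print(evaluate_bucket(name, acl, pol))
```

The split between “failures” and “review” is the part worth copying: an Allow to Principal “*” that is fenced by a Condition is not the same finding as an unconditional one, and a rule that treats them identically either floods the team with false positives or, if tuned the other way, misses the genuinely open bucket.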

InSpec was created via the acquisition of VulcanoSec, a German compliance and security firm that Chef purchased in 2015. InSpec 2.0 is open source and available for download on GitHub.

Featured Image: Roy Scott/Getty Images

Sqreen wants to become the IFTTT of web app security


French startup Sqreen recently launched a Security Hub with dozens of plugins to put you in control of the security of your web app. In many ways, it feels like enabling tasks on popular automation service IFTTT.

Sqreen participated in TechCrunch’s Startup Battlefield and Y Combinator’s current batch. The vision of the product hasn’t changed. Sqreen lets you protect your web service with little effort from your side.

Big companies have dedicated security teams that protect services, try to run attacks to find weaknesses and more. Smaller companies don’t necessarily have enough time and money to build a dedicated team. But your product is still vulnerable to SQL injections, XSS attacks and brute-force attacks.

Sqreen isn’t a firewall. You just have to install a library package on your server and add a couple of lines at the top of your source code to require the Sqreen module in your application.

Once this is done, Sqreen monitors attacks in real time without a big performance hit — the startup says there’s a 4 percent CPU overhead. Sqreen now works for web apps in Node.js, Ruby, PHP, Python or Java.

In addition to protecting you against common attacks, Sqreen makes security recommendations so that you can regularly fix vulnerabilities. And with GDPR coming soon, tech companies have a greater responsibility when it comes to protecting customer data and disclosing hacks.

Customers wanted to know more about what Sqreen was doing. That’s why Sqreen launched a security hub with documented plugins.

“All security vendors are very secretive,” says Sqreen co-founder and CEO Pierre Betouin. “Usually, you can’t test the product and you have no information on what they do. We were like this at the beginning of Sqreen. Our positioning was really ‘install our library and we’ll cover a range of security features.’”

“We had a big push back. So we wondered how we could be more transparent, provide something more rational. We explain each plugin completely.”

You can find a plugin to protect you against SQLite injections, vulnerable dependencies, XSS Javascript injections in various frameworks, bot activity, etc.

Sqreen will recommend plugins for your app depending on the technologies and frameworks you’re using. You can then enable or disable each plugin and configure notifications on Slack or PagerDuty for instance.

In the future, you can imagine that third-party companies could contribute to this marketplace and add new plugins. Sqreen is also working on other plugins related to email abuse and payment page protection.

In addition to those new features, Betouin is moving to San Francisco and opening an office there. Companies like Front, Mindbody, BlaBlaCar, Triplebyte, Toptal and Algolia are now using Sqreen.

Facebook didn’t mean to send spam texts to two-factor authentication users


Facebook Chief Security Officer Alex Stamos apologized for spam texts that were incorrectly sent to users who had activated two-factor authentication. The company is working on a fix, and you won’t receive non-security-related text messages if you never signed up for those notifications.

Facebook says it was a bug. But calling it a bug is a bit too easy — it’s a feature that was badly implemented as it’s clear that Facebook has been treating all phone numbers the same way. It doesn’t matter if you add your phone number for security reasons or to receive notifications. Facebook put all of them in the same bucket. It’s poor design, not a bug.

“It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused,” Stamos wrote. “We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”

And yet, this is particularly bad because it creates a bad narrative around two-factor authentication. While Facebook lets you use a code generator mobile app or a U2F USB key, many people rely on text messages for two-factor authentication. It’s a second layer of security so that strangers who have your password can’t log in without the second factor.

Everyone should enable two-factor authentication. But people might hesitate now that they know Facebook has used a security feature to improve engagement in the past. I’d recommend turning it on with a code generator.

Does it mean tech publications shouldn’t have shared this information? Of course not (and I’m looking at you, former Facebook security engineer Alec Muffett). If nobody had written about the issue, Facebook would still be spamming users and sharing great engagement numbers in its quarterly earnings release.

The fact that Facebook poorly implemented a security feature is… Facebook’s fault.

In addition to that, Facebook is also disabling posting to Facebook via text messages altogether. Earlier this week, a tweet went viral as Gabriel Lewis tried disabling those text notifications and ended up sharing posts on Facebook:

The company says that this feature may have been useful at some point when smartphones were less popular, but there’s no reason to keep it around now.

Featured Image: Facebook

People are trolling iPhone users with the ‘killer symbol’ that crashes their apps


Surprise! Assorted jerks on the internet have weaponized the Unicode-based bug we reported yesterday to insta-crash apps running on an iPhone or a Mac. The result is somewhere between the old Alt + F4 trick and a script kiddie stunt and it ranges from being annoying to rendering a device unusable, depending on the tenacity of the troll.

The bug causes many iOS and Mac apps to crash when rendering two characters in Telugu, a south Indian language. While anyone can avoid viewing the symbols themselves, problems arise when someone ill-intentioned starts spamming out the symbols or sending them directly to devices where they will be received as a notification.

Droves of Twitter users have taken to tweeting the symbols out over the last day with messages like “read this to log off instantly” and “retweet this to crash anyone using an Apple device,” though luckily most of them don’t have many followers. Still, if the symbol shows up in your @ replies or in the handle of someone who likes one of your tweets, then it’s game over for whatever app you have open (Motherboard writer Joseph Cox learned this the hard way). From what we’ve observed, the only way to get an app working again is to reinstall it from scratch — a time consuming process, especially if a troll just crashes it all over again.

As captured on Twitter, one security researcher added one of the symbols to his Uber handle as an experiment. “I suspect a crashed phone means you get routed to the next driver… who gets crashed too. Like an Uber routing worm” he wrote. We reached out to Uber to see if they’re aware of the issue and will update when we hear back.

For now, most of the trolling seems to be on Twitter. A search on both Facebook and Reddit yielded conspicuously few signs of Telugu trolling, so it appears that those platforms may have taken steps to limit the fallout from the iPhone-killing Unicode sequences.

Meanwhile, a thorough blog post by Mozilla engineer Manish Goregaokar suggests that the scope of the Unicode bug could be broader than the two symbols we know. “… From some experimentation, this bug seemed to occur for any pair of Telugu consonants with a vowel, as long as the vowel is not ై (ai),” he wrote. His findings so far:

“So, ultimately, the full set of cases that cause the crash are:

Any sequence <consonant1, virama, consonant2, ZWNJ, vowel> in Devanagari, Bengali, and Telugu, where:

consonant2 is suffix-joining – i.e. र, র, য, and all Telugu consonants
If consonant2 is र or র, consonant1 is not the same letter (or a variant, like ৰ)
vowel is not ై or ৌ”
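The rule set quoted above is concrete enough to turn into a filter, which is the kind of thing a platform can run on inbound text before it reaches a notification. The following is an added example in Python and is not code from Apple, Mozilla, Goregaokar’s post or any of the platforms named here: it applies the rule exactly as quoted (consonant, virama, consonant, ZWNJ, vowel sign, with the two exceptions), using the standard Unicode block ranges and the virama and ZWNJ code points. Whether every match crashes a given renderer is taken from the quoted rule, not tested here, and the sample strings are constructed.

```python
"""Detector and neutralizer for the Indic crash sequence described in the
quoted rule.  Added illustration, not Apple / Mozilla / article code."""

import unicodedata

ZWNJ = "\u200c"

# Script blocks, the virama of each, and the consonant code point ranges.
SCRIPTS = {
    "Devanagari": {"block": (0x0900, 0x097F), "virama": 0x094D,
                   "consonants": [(0x0915, 0x0939), (0x0958, 0x095F)]},
    "Bengali":    {"block": (0x0980, 0x09FF), "virama": 0x09CD,
                   "consonants": [(0x0995, 0x09B9), (0x09DC, 0x09DF), (0x09F0, 0x09F1)]},
    "Telugu":     {"block": (0x0C00, 0x0C7F), "virama": 0x0C4D,
                   "consonants": [(0x0C15, 0x0C39)]},
}
# consonant2 must be suffix-joining: RA/YA in Devanagari and Bengali, any Telugu consonant.
SUFFIX_JOINING = {0x0930, 0x09B0, 0x09AF}
# Same-letter exception: RA as consonant2 is safe after itself or a variant (Bengali ৰ, as quoted).
RA_VARIANTS = {0x0930: {0x0930}, 0x09B0: {0x09B0, 0x09F0}}
# Vowel signs excluded from the crash set: Telugu ai, Bengali au.
SAFE_VOWELS = {0x0C48, 0x09CC}

def script_of(ch):
    cp = ord(ch)
    for name, s in SCRIPTS.items():
        lo, hi = s["block"]
        if lo <= cp <= hi:
            return name
    return None

def is_consonant(ch, script):
    cp = ord(ch)
    in_range = any(lo <= cp <= hi for lo, hi in SCRIPTS[script]["consonants"])
    return in_range and unicodedata.category(ch) == "Lo"

def is_vowel_sign(ch, script):
    return script_of(ch) == script and "VOWEL SIGN" in unicodedata.name(ch, "")

def matches_at(text, i):
    """True if text[i:i+5] is <consonant1, virama, consonant2, ZWNJ, vowel sign> per the rule."""
    if i + 5 > len(text):
        return False
    c1, virama, c2, joiner, vowel = text[i:i + 5]
    script = script_of(c1)
    if script is None or not is_consonant(c1, script):
        return False
    if ord(virama) != SCRIPTS[script]["virama"] or joiner != ZWNJ:
        return False
    if not is_consonant(c2, script):
        return False
    if script != "Telugu" and ord(c2) not in SUFFIX_JOINING:
        return False
    if ord(c2) in RA_VARIANTS and ord(c1) in RA_VARIANTS[ord(c2)]:
        return False
    return is_vowel_sign(vowel, script) and ord(vowel) not in SAFE_VOWELS

def find_crash_sequences(text):
    """Return (offset, sequence) for every match in text."""
    return [(i, text[i:i + 5]) for i in range(len(text)) if matches_at(text, i)]

def neutralize(text):
    """Drop the ZWNJ from each matching sequence so it no longer fits the rule.
    The visible letters are kept; only the invisible joiner control is removed."""
    out, i = [], 0
    while i < len(text):
        if matches_at(text, i):
            out.append(text[i:i + 3] + text[i + 4])
            i += 5
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

# Constructed samples, written as escapes so the invisible joiner shows in the source.
TELUGU_CRASH = "\u0c1c\u0c4d\u0c1e\u200c\u0c3e"       # ja, virama, nya, ZWNJ, sign aa
TELUGU_SAFE = "\u0c1c\u0c4d\u0c1e\u200c\u0c48"        # same with sign ai (excluded)
DEVANAGARI_CRASH = "\u0915\u094d\u0930\u200c\u093e"   # ka, virama, ra, ZWNJ, sign aa
DEVANAGARI_SAFE = "\u0930\u094d\u0930\u200c\u093e"    # ra before ra: same-letter exception
DEVANAGARI_NONJOIN = "\u0915\u094d\u0915\u200c\u093e" # ka as consonant2: not suffix-joining
BENGALI_SAFE = "\u09f0\u09cd\u09b0\u200c\u09be"       # ৰ (variant of ra) before ra

if __name__ == "__main__":
    for s in (TELUGU_CRASH, TELUGU_SAFE, DEVANAGARI_CRASH, DEVANAGARI_SAFE, BENGALI_SAFE):
        print([f"U+{ord(c):04X}" for c in s], "->", bool(find_crash_sequences(s)))
```

Because the joiner is the only non-printing element of the sequence, removing it is the least destructive mitigation available to a platform that does not want to block Telugu, Bengali or Devanagari text outright; the fix that actually matters is still Apple’s, since this filter protects only the channels that apply it.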

TechCrunch has reached out to Twitter, Facebook and Reddit to see how those platforms are handling the bug, which is particularly destructive when blasted out on an open social network. We’ve also been in touch with Apple and they’ve confirmed that there is a “dot update” fix coming soon, though declined to confirm if it would be iOS 11.2.6. Apple noted that the bug is fixed in current betas of iOS, tvOS, macOS and watchOS.

Featured Image: Jane_Kelly/Getty Images (IMAGE HAS BEEN MODIFIED)

Oracle grabs Zenedge as it continues to beef up its cloud security play


Oracle announced yesterday that it intends to acquire Zenedge, a four-year-old hybrid security startup. They didn’t reveal a purchase price.

With Zenedge, Oracle gets a security service to add to its growing cloud play. In this case, the company has products to protect customers whether in the cloud, on-prem or across hybrid environments.

The company offers a range of services from web application firewalls to distributed denial of service (DDoS) attack mitigation, bot management, API management and malware prevention. In addition, they operate a Security Operations Center (SOC) to help customers monitor their infrastructure against attack. Their software and the SOC help keep watch on over 800,000 websites and networks across the world, according to information supplied by Oracle.

Oracle says it will continue to build out Zenedge’s product offerings. “Oracle plans to continue investing in Zenedge and Oracle’s cloud infrastructure services. We expect this will include more functionality and capabilities at a quicker pace,” Oracle wrote in an FAQ on the deal (.pdf) published on their website.

Oracle’s recent acquisition history. Source: Crunchbase

Just this week Oracle announced that it was expanding its automation capabilities on its Platform as a Service offerings from databases to a range of areas including security. Ray Wang, founder and principal analyst at Constellation Research says the company is a good match as it also uses automation and artificial intelligence in its solution.

“Oracle is beefing up its security offerings in the cloud. They have one of the strongest cyber security platforms,” Wang told TechCrunch. “They also have a ton of automation that fits Oracle’s theme of autonomous,” he added.

Oracle is far behind cloud rivals as it came late to the game. Just this week, the company announced plans to build a dozen data centers around the world over the next two years. They are combining an aggressive acquisition strategy and rapid data center expansion in an effort to catch up with competitors like AWS, Microsoft and Google.

Zenedge launched in 2014 and has raised $13.7 million, a modest amount for a cloud-based security service. Oracle says customers and partners can continue to deal with Zenedge using their existing contacts.

Featured Image: Justin Sullivan/Getty Images